ABSTRACT

A method for evaluating security models is developed and applied to the model of Bell and LaPadula. The method shows the inadequacy of the Bell and LaPadula model, in particular, and the impossibility of any adequate definition of a secure system based solely on the notion of a secure state. The implications for the fruitfulness of seeking a global definition of a secure system and for the state of foundational research in computer security, in general, are discussed.


And so of the virtues, however many and different they may be, they have all a common nature which makes them virtues; and on this he who would answer the question, 'What is virtue?' would do well to have his eye fixed.

Plato, Meno (B. Jowett trans.) 72c6-d1

For if you look at them you will not see something that is common to all, but similarities, relationships, and whole series of them at that... I can think of no better expression to characterize these similarities than "family resemblance"...

Wittgenstein [1, §66-7]

If a concept fundamental to a mighty science gives rise to difficulties, then it is surely an imperative task to investigate it more closely until those difficulties are overcome...

Frege [2, p. II]

1. Introduction

Security is an especially hard property to prove rigorously about a program. It's not that proofs about security are intrinsically more difficult than proofs about other properties, but rather that the concept security, itself, is harder to explicate. For this reason, there has been a great deal of focus on rigorously defining the concept of security, or in the jargon of the trade, constructing formal security models. Such explications are important, for without them, many would regard it as impossible to establish in any meaningful way that a program is secure.

The security model developed by Bell and LaPadula [3] is the most widely accepted basis for verifying the security of systems [4]. It has been argued [5] that one reason developers should have confidence in the security provided by systems based on this model is a theorem, called the "Basic Security Theorem" (BST), proven about a formalization of the model by its authors [3, p. 90, corollary A1]. However, this confidence is misplaced since the BST can be proven for systems that directly contradict the notion of security embodied in the Bell-LaPadula model [6].

This paper presents a method for evaluating security models and applies the method to the Bell-LaPadula model. The results cast doubt on the Bell-LaPadula model and the fruitfulness of seeking global definitions of security. The existence of differing interpretations of the model casts doubt on the status of computer security's foundations in general.

2. How to Lend Credence to a Security Model

Current security models are formulated in terms of the concept of a secure state, i.e., a definition that places restrictions on what a state can look like, a secure transform, i.e., a definition that places restrictions on what a
modes in which an element of S can have access to an element of O.

Bell and LaPadula define a system state v as an element of V = (B × M × F × H), where

B is the set of current accesses and is equal to P(S × O × A), with each of its elements denoted as b;

M is the access permission matrix, where M_ij is the set of access modes subject i may have to object j;

F is a subset of L^S × L^O × L^S, where each f ∈ F is a triple consisting of f_s, the security level (clearance) associated with each subject, f_o, the security level (classification) associated with each object, and f_c, the current security level for each subject, such that f_s dominates f_c; and

H defines the current object hierarchy and is of no concern here.

The set of requests (e.g., to acquire or rescind access to objects) is denoted by R, and the set of decisions (e.g., yes, no, error) is denoted by D. W ⊆ R × D × V × V represents the actions of the system: (r, d, v2, v1) represents a request r yielding a decision d and moving the system from state v1 to v2. Letting T be the set of positive integers and X, Y, and Z the sets of functions from T to R, D, and V, respectively, a system Σ(R, D, W, z0) is a subset of X × Y × Z such that (x, y, z) ∈ Σ(R, D, W, z0) if and only if (x_t, y_t, z_t, z_{t−1}) ∈ W for each t ∈ T, where z0 is the initial state of the system. Each triple (x, y, z) ∈ Σ(R, D, W, z0) is called an appearance of the system, and each quadruple (x_t, y_t, z_t, z_{t−1}) is called an action of the system.

The concept of a secure state is defined by three properties: the simple security (ss-) property, the *-property, and the discretionary security (ds-) property. A state satisfies the ss-property if for each element of b that has an access mode of read or write, the clearance of the subject dominates (in the partial order) the classification of the object. A triple (s, o, x) satisfies the ss-property relative to f (rel f) if x is execute or append, or if x is read or write and f_s(s) dominates f_o(o).


A state satisfies the *-property if for each (s, o, x) in b, the current security level of s is equal to the classification of o if the access mode is write, dominates the classification of o if the access mode is read, and is dominated by the classification of o if the access mode is append. The concept of a triple satisfying the *-property rel f is analogous to satisfying the ss-property rel f. A state is said to satisfy the *-property relative to S', where S' ⊆ S, if this condition holds for all triples of b in which s ∈ S'. Subjects not in S' (and therefore not bound by the *-property relative to S') are called trusted subjects. It is worthwhile noting that since f_s dominates f_c, the *-property implies the ss-property.

A state satisfies the ds-property if, for each member of b, the specified access mode is included in the access matrix entry for the corresponding subject-object pair. The concept of a triple satisfying the ds-property rel M is analogous to satisfying the ss-property rel f. A state is secure if and only if it satisfies the ss-property, the *-property relative to S', and the ds-property.

In addition to restricting subjects from having direct access to information for which they are not cleared, this concept of security is intended to prevent the unauthorized flow of information from a higher security level to a lower one. The *-property relative to S' specifically prevents nontrusted subjects from simultaneously having read access to information at one level and write access to information at a lower level.

Bell and LaPadula introduce analogous constraints on a system. A system appearance (x, y, z) ∈ Σ(R, D, W, z0) satisfies the ss-property if each state in the sequence <z0, z1, ...> satisfies it. A system satisfies the ss-property if each of its appearances does. Analogous definitions introduce the notions of a system satisfying the *- and ds-properties and the concept of a secure system. Theorems A1, A2, and A3 (see below), for the ss-, *-, and ds-properties, respectively, show that a system Σ(R, D, W, z0) satisfies the property in question for any initial state that satisfies the property if and only if W (1) adds no new elements to b that would violate the property and (2) removes any elements that, following the state change, would violate that property. The BST is presented without proof as a corollary of theorems A1, A2, and A3:

Basic Security Theorem: A system Σ(R, D, W, z0) is secure iff z0 is a secure state and W satisfies the conditions of theorems A1, A2, and A3 for each action.³

Theorem A1: Σ(R, D, W, z0) satisfies the ss-property for any initial state z0 that satisfies the ss-property iff W satisfies the following conditions for each action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)):

(i) each (s, o, x) ∈ b* − b satisfies the ss-property rel f*;

(ii) if (s, o, x) ∈ b does not satisfy the ss-property rel f*, then (s, o, x) ∉ b*.

Theorem A2: Σ(R, D, W, z0) satisfies the *-property relative to S' for any initial state z0 that satisfies the *-property relative to S' iff W satisfies the following conditions for each action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)):

(i) for each s ∈ S', any (s, o, x) ∈ b* − b satisfies the *-property with respect to f*;

(ii) for each s ∈ S', if (s, o, x) ∈ b does not satisfy the *-property with respect to f*, then (s, o, x) ∉ b*.

Theorem A3: Σ(R, D, W, z0) satisfies the ds-property iff the initial state z0 satisfies the ds-property and W satisfies the following conditions for each action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)):

(i) if (s_k, o_i, x) ∈ b* − b, then x ∈ M*_ki;

(ii) if (s_k, o_i, x) ∈ b and x ∉ M*_ki, then (s_k, o_i, x) ∉ b*.

On the face of it the BST looks like what we want, i.e., an alternative formulation of security given in terms of state transitions that we can compare to the Bell-LaPadula model, but it's not. The reason can be seen by examining A1-A3: the concept of a secure action (transform) is defined solely in terms of a secure state. A transform can alter b, f, or M if the resulting state does not violate security. Put more baldly, a transform is defined to be secure if it leads to a secure state. The trouble with the theorem as it stands is that if our definition of secure state is wrong, our theorem is unaffected. In fact it has been shown in [6] that the BST holds for any system as long as its state sequence is indexed in a way that supports induction. The system can permit subjects to read up, write down, or whatever. What we need to justify the Bell-LaPadula model is an independent definition of security we can use to validate our definition of a secure state.

³ In [3] an appearance satisfies the ss-property if each state in <z1, z2, ...> satisfies the property; no restriction is placed on z0. Nevertheless, the intent is clear since without this restriction, the BST as stated in [3] is false. See [6].

4. A Reformulation of the Bell and LaPadula Model

In light of the inadequacy of the BST to justify the Bell-LaPadula model, we must develop an independent definition of secure transform or, in Bell and LaPadula's terminology, of secure action. To this end, consider the following definitions:

Definition: An action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)) is ss-secure iff

(i) if (s, r, o) ∈ b* − b or (s, w, o) ∈ b* − b, then f_s(s) dominates f_o(o), and (M*, f*, H*) = (M, f, H);

(ii) if f_s(s) ≠ f*_s(s), then (1) b does not contain any triples of the form (s, r, o) or (s, w, o) where f_o(o) is not dominated by f*_s(s), and (2) f*_o = f_o, f*_c = f_c, and (b*, M*, H*) = (b, M, H);

(iii) if f_o(o) ≠ f*_o(o), then (1) b does not contain any triples of the form (s, r, o) or (s, w, o) where f*_o(o) is not dominated by f_s(s), and (2) f*_s = f_s, f*_c = f_c, and (b*, M*, H*) = (b, M, H).

Definition: An action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)) is *-secure iff⁴

(i) if (s, r, o) ∈ b* − b [(s, w, o) ∈ b* − b, (s, a, o) ∈ b* − b], then f_c(s) dominates f_o(o) [f_o(o) = f_c(s), f_o(o) dominates f_c(s)], and (M*, f*, H*) = (M, f, H);

(ii) if f_c(s) ≠ f*_c(s), then (1) b does not contain any triples of the form (s, r, o) [(s, w, o), (s, a, o)] where f_o(o) is not dominated by f*_c(s) [f_o(o) ≠ f*_c(s), f*_c(s) is not dominated by f_o(o)], and (2) f*_o = f_o, f*_s = f_s, and (b*, M*, H*) = (b, M, H);

(iii) if f_o(o) ≠ f*_o(o), then (1) b does not contain any triples of the form (s, r, o) [(s, w, o), (s, a, o)] where f*_o(o) is not dominated by f_c(s) [f*_o(o) ≠ f_c(s), f_c(s) is not dominated by f*_o(o)], and (2) f*_c = f_c, f*_s = f_s, and (b*, M*, H*) = (b, M, H).

⁴ For simplicity, we assume that no subjects are trusted, i.e., that S' = S.

Definition: An action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)) is ds-secure iff

(i) if (s_x, φ, o_y) ∈ b* − b, then φ ∈ M_xy and (M*, f*, H*) = (M, f, H);

(ii) if φ ∈ M_xy − M*_xy, then (f*, H*) = (f, H) and {(s_x, φ, o_y)} = b − b*;

(iii) if φ ∈ M_xy − M*_xy or φ ∈ M*_xy − M_xy, then the subject executing R_i owns o_y and (b*, f*, H*) = (b, f, H).⁵

Definition: An action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)) is secure iff it is ss-secure, *-secure, and ds-secure.

It is worthwhile examining this definition in detail. On the face of it, the set of secure actions is exactly the set of actions that meet the conditions of the BST. This is partly correct in that a secure action always takes one secure state to another, as is proven in the following theorem.

Theorem: A system Σ(R, D, W, z0) is secure if z0 is a secure state and each action (R_i, D_j, (b*, M*, f*, H*), (b, M, f, H)) ∈ W is secure.

Proof: We prove the theorem by induction. Since z0 is secure by hypothesis, we can limit ourselves to the case where z_n is secure and show that z_{n+1} must be secure. We show this by proving that if W consists entirely of secure actions and if z_n is secure, then any action in W applied to z_n satisfies the conditions of the BST. Since, as noted in Section 3 above, the *-property implies the ss-property, A2 implies A1 so we only have to consider A2 and A3. For A2 to be false, there must be a (s, o, x) ∈ b* that fails to satisfy the *-property rel f*. Since z_n is secure by hypothesis, either (s, o, x) is a new access or f was changed by W so as to violate *-security. The latter is impossible since by clauses (ii) and (iii) of the definition of a *-secure action f can only be so altered if b* = b and b is *-secure relative to f*. Alternatively, if (s, o, x) was added by W, clause (i) of the definition of a *-secure action guarantees that (s, o, x) is *-secure rel f = f*, and hence, that A2 is true. For A3 to be false, there must be a (s_k, o_i, x) ∈ b* such that x ∉ M*_ki. Since z_n is secure by hypothesis, either b* ≠ b or M* ≠ M. If the former, then clause (i) of the definition of a ds-secure action guarantees that the added access is secure relative to M* = M, and hence, that A3 is true. If the latter, then an access must have been dropped from M. But clause (ii) of the definition of a ds-secure action guarantees that this same access must have been dropped from b so A3 is again true, and we are done. ∎

⁵ There is really no analogue to this condition in the Bell-LaPadula axioms, but it seems an intuitive requirement. Nothing in this paper depends on secure actions having this property.

Hence, secure actions applied to a secure state lead to a secure state, and in this respect, our definitions mirror the BST. However, although our definition of a secure action satisfies the if-clause of the BST, it fails the only if-clause. It's not the case that any action that takes a system from one secure state to another secure state is secure. As an example, consider the system Z whose initial state is secure and that has only one type of action:

When a subject s requests any type of access to an object o, every subject and object in the system is downgraded to the lowest possible level, permission is entered into the access matrix M, and the access is recorded in the current access set b.

It is easy to see that system Z's actions always lead to a secure state (in the Bell-LaPadula sense) and hence that system Z is certifiably secure by the lights of the Bell-LaPadula model. But though system Z satisfies the BST and the Bell-LaPadula model's definition of secure system, it fails to satisfy the conditions required by our definition of a secure action. The fact that a definition of a secure system formulated in terms of our definition of a secure action is supposed to explicate the same concept as Bell and LaPadula's definition shows that either the former is too narrow or the latter is too wide.
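The secure-state predicates of Section 3, the transition conditions of theorems A1-A3, the ss-secure action of Section 4 and system Z, encoded side by side as an added worked example (not code from the paper). The integer levels, the subjects and objects, and the State representation are constructed for this illustration; S' = S as in footnote 4, and the hierarchy H is left out.

```python
"""Bell-LaPadula secure states, the BST conditions (theorems A1-A3) and
McLean's system Z: an added worked example, not code from the paper.
Constructed conventions: levels are integers ("dominates" is >=), modes
are 'r','w','a','e', S' = S (footnote 4), and the hierarchy H is omitted."""
from dataclasses import dataclass

LOWEST = 0  # the lowest possible security level (constructed)


@dataclass
class State:
    b: frozenset  # current accesses: a set of (subject, object, mode) triples
    M: dict       # access matrix: (subject, object) -> frozenset of modes
    f_s: dict     # subject clearance
    f_o: dict     # object classification
    f_c: dict     # subject current level (f_s dominates f_c)


def ss_rel(t, st):  # (s, o, x) satisfies the ss-property rel st's f
    s, o, x = t
    return x in ('e', 'a') or st.f_s[s] >= st.f_o[o]

def star_rel(t, st):  # ... the *-property rel st's f (S' = S)
    s, o, x = t
    return {'r': st.f_c[s] >= st.f_o[o], 'w': st.f_c[s] == st.f_o[o],
            'a': st.f_c[s] <= st.f_o[o], 'e': True}[x]

def ds_rel(t, st):  # ... the ds-property rel st's M
    s, o, x = t
    return x in st.M.get((s, o), frozenset())

def secure_state(st):
    """Bell-LaPadula secure state: every access in b satisfies all three."""
    return all(ss_rel(t, st) and star_rel(t, st) and ds_rel(t, st) for t in st.b)

def bst_conditions(pre, post):
    """A1-A3 on the action pre -> post: (i) each new access satisfies the
    property rel the new state, (ii) each old one that does not is removed.
    Nothing here constrains how f or M may change: the paper's point."""
    for rel in (ss_rel, star_rel, ds_rel):
        if not all(rel(t, post) for t in post.b - pre.b):          # (i)
            return False
        if any(t in post.b and not rel(t, post) for t in pre.b):   # (ii)
            return False
    return True

def ss_secure_action(pre, post):
    """McLean's ss-secure action (Section 4); *-security is analogous."""
    new_rw = [(s, o) for s, o, x in post.b - pre.b if x in ('r', 'w')]
    if new_rw:  # (i): new read/write needs clearance and nothing else changes
        if not all(pre.f_s[s] >= pre.f_o[o] for s, o in new_rw):
            return False
        if (post.M, post.f_s, post.f_o, post.f_c) != (pre.M, pre.f_s, pre.f_o, pre.f_c):
            return False
    chg_s = {s for s in pre.f_s if pre.f_s[s] != post.f_s[s]}
    if chg_s:  # (ii): a clearance change is the only change and stays safe
        if any(x in ('r', 'w') and s in chg_s and not post.f_s[s] >= pre.f_o[o]
               for s, o, x in pre.b):
            return False
        if (post.f_o, post.f_c, post.b, post.M) != (pre.f_o, pre.f_c, pre.b, pre.M):
            return False
    chg_o = {o for o in pre.f_o if pre.f_o[o] != post.f_o[o]}
    if chg_o:  # (iii): likewise for a classification change
        if any(x in ('r', 'w') and o in chg_o and not pre.f_s[s] >= post.f_o[o]
               for s, o, x in pre.b):
            return False
        if (post.f_s, post.f_c, post.b, post.M) != (pre.f_s, pre.f_c, pre.b, pre.M):
            return False
    return True

def system_z(st, s, o, x):
    """System Z's only action: downgrade every subject and object to the
    lowest level, enter the permission in M, and record the access in b."""
    M = dict(st.M)
    M[(s, o)] = M.get((s, o), frozenset()) | {x}
    return State(b=st.b | {(s, o, x)}, M=M,
                 f_s={k: LOWEST for k in st.f_s}, f_o={k: LOWEST for k in st.f_o},
                 f_c={k: LOWEST for k in st.f_c})

def grant(st, s, o, x):
    """An ordinary action: record an access that M already permits."""
    return State(st.b | {(s, o, x)}, st.M, st.f_s, st.f_o, st.f_c)

# Constructed initial state z0: alice is cleared to level 2, bob to 0;
# 'secret' is classified 2 and alice currently reads it.
Z0 = State(b=frozenset({('alice', 'secret', 'r')}),
           M={('alice', 'secret'): frozenset({'r', 'w'})},
           f_s={'alice': 2, 'bob': 0}, f_o={'secret': 2, 'public': 0},
           f_c={'alice': 2, 'bob': 0})

def compare(action, *args):
    """Judge one action from Z0 by the secure-state, BST and McLean criteria."""
    post = action(Z0, *args)
    return (secure_state(post), bst_conditions(Z0, post), ss_secure_action(Z0, post))

if __name__ == '__main__':
    print(compare(grant, 'alice', 'secret', 'w'))     # (True, True, True)
    print(compare(system_z, 'bob', 'secret', 'r'))    # (True, True, False)
```

The second line of output is the paper's point: bob's read of 'secret' under system Z reaches a state that is secure in the Bell-LaPadula sense and meets A1-A3, yet fails clause (i) of ss-security because bob's clearance never dominated the object's classification.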

The fact that system Z gives all subjects access to all objects shows that it is the Bell-LaPadula model that is inadequate. In fact, it should be clear that any explication of security based solely on the notion of a secure state must fail for a similar reason. At best such an explication can serve as a definition of a secure initial state. The concept of a secure system must be explicated as one whose initial state is secure and whose system transform is secure.

5. The Bell and LaPadula Model Reconsidered

When presented with system Z, some have responded with an attitude of "Who cares?", while others have argued that the Bell-LaPadula model's explication of security consists of something more than the model's definition of secure system and that this something more rules out systems such as Z.⁶ With respect to the latter, the suggestion is that the model implicitly includes the tranquility principle, which prohibits changing the security level of an (active) object, or that it includes the particular Multics-based rules given in [3]. The first suggestion can easily be dismissed since the tranquility principle is clearly not part of the model as given in [3]. Not only is it not mentioned, it is violated by rule 11 of the Multics-based interpretation of the model. This is understandable since any model that did not permit violations of tranquility would be too confining to be practical.


⁶ All responses to system Z considered in this section are taken from Computer Security Forum 5, 18 (July 5, 1986), ed. Ted Lee for Arpanet distribution. System Z was originally presented in issue 14 (June 22, 1986) of the Forum, and additional responses appeared in issues 25 (September 23, 1986), 26 (October 5, 1986), 27-29 (all October 16, 1986), and 30-31 (all December 9, 1986).


The second suggestion can also be dismissed, but not as easily since [3] seems ambivalent with respect to it. Hence, we read that the rules are one of the model's three major facets [3, p. 5], yet that the ss-, *-, and ds-properties constitute the "system characteristics that we desire to be maintained" [3, pp. 11-12] and that the rules are merely "one specific solution", a particular solution that "is in no sense unique, but has been specifically tailored for use with a Multics-based information system design" [3, p. 19]. Though the rules are presented as being part of the model, the concept of a solution implies that they are not part of the model in any sense relevant to our considerations. If one explicates the concept of a Cartesian point's being five units from the origin by requiring that the point satisfies the equation x² + y² = 25 and gives (3, 4) as a specific solution, we cannot conclude that the explication requires that any point (x, y) five units from the origin must have the property that x + y = 7. Similarly, we cannot conclude from the particular solution Bell and LaPadula give, that a secure system must have any properties (beyond the properties of ss-, *-, and ds-security) that the particular solution has.

Rather, the particular system they specify serves as one example of a system that provably satisfies their definition of secure system. This is meant to justify our belief that the specified system is secure in some meaningful sense. Unfortunately, since system Z is another system that satisfies their definition of a secure system, the justification is unconvincing. Similarly, we cannot be sure that any system does not contain security flaws as serious, if not as obvious, as those of system Z simply because it satisfies the definition of secure system provided by the Bell-LaPadula model.

Perhaps the most compelling reason for believing that the Multics-based rules provide only an example of a secure system and not further properties a secure system must have is that no other reading of [3] makes sense of the relation between the definition of secure system and the Multics-based solution. The definition of a secure system and the particular solution don't convey the same set of constraints, so it makes no sense to say that the two are different explications of security. Nor does it make sense to say that the rules are supposed to add additional constraints that a secure system must meet. For one thing, their Multics orientation makes them too restrictive to serve this purpose [3, pp. 20-25], and for another, on this interpretation the Bell-LaPadula definition of secure system would serve no purpose. It would be redundant since any system that meets the conditions implicit in the rules satisfies the definition. Finally, this interpretation does not do justice to the text. If the rules were to be included in the concept of being a secure system, then the definition of such a system would say that it must satisfy the ss-, *-, and ds-security properties and the rules, the BST would have to include the rules, etc.

The only alternative is our view that the Bell-LaPadula definition of secure system is supposed to provide all the security-relevant constraints such a system must meet. And though system Z shows that this view is untenable, it is, in fact, the only option that makes sense. Those who accept this view yet are still complacent about system Z seem to view the Bell-LaPadula model as only a framework for representing systems, rather than as a criterion that secure systems should conform to. In this view showing that a system conforms to the model says nothing about whether the system is secure. Ignoring the question of why we need such a complicated framework for modeling systems and the question of whether this claim makes sense in light of the prominent role played by the definition of secure system in the model, we can still say that this view certainly runs counter to the way the model is generally regarded by the computer security community.⁷ If nothing else, the fact that there can be so much disagreement over something so established and so fundamental is sufficient to cause concern and provide ample reason for dismissing a response of "Who cares?".

⁷ See, e.g., [8, pp. 64-65, 89, 111], which all but requires that a formal security policy model used for formal design verification be state-based à la the Bell-LaPadula model, and which states both that such design verification "can effectively protect classified or other sensitive information stored or processed by the system" and that "the *-property is sufficient to prevent the compromise of information by Trojan Horse attacks." System Z shows that both claims are false.

6. Foundations for Computer Security

Several comments are in order. First, as noted above, the definitions of secure actions are more restrictive than what is required by the Bell-LaPadula model. Some of them could change without violating security. For example, part (ii) of the definition for ds-security could prohibit subjects from removing permissions to their files if it meant removing a current access. However, though such a change alters the flavor of our concept of security, it does not yield a strikingly different one. A more significant change would be to follow [9] and introduce a system security officer and the concept of a role, such as downgrader. Such possible changes may be necessary (see below) and, at the least, raise the question of why we prefer one formulation over another.

Second, we must decide where the original Bell-LaPadula model fits in. For a system to be secure, its actions must be secure by the definitions given above, and its initial state must meet the definition of a secure state given by Bell and LaPadula. However, this leaves us with a hybrid definition of security and not two separate definitions we can compare. Further, it should be clear that no explication of security can be based solely on the notion of a secure transition. The concept of a secure initial state is always required.

The last statement is the rub. System Z shows that no adequate explication of security can be based solely on the notion of a secure state, and we have just seen that there can be no adequate explication based solely on the notion of a secure transition. Hence, our original plan of comparing two explications of security, though successful in showing an inadequacy in the Bell-LaPadula Model, ultimately fails. Our hybrid approach may be adequate, but we have no alternative explication to compare with it. We can appeal to intuition, but such appeals are insufficient, especially in light of weaknesses displayed in the intuitively correct Bell-LaPadula Model. In fact, since neither model has a system security officer, our reformulation shares with the original model what, to my taste, is an all too cavalier approach to altering fs and fo. The ability to raise a subject's fs as long as it has no current accesses or lower an object's fo as long as no subject is currently accessing it can obviously lead to security breaches. Even the ability to alter fc is unsettling. If processes have no memory, then the *-property is too restrictive since there is no need to prohibit a write down as long as nothing is concurrently being read on a higher level. If processes have memory, freely lowering fc obviously presents problems.8
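The fc-lowering problem described in this paragraph, as an added example that is not from the paper: a small Python model of the fs, fc and fo functions in which a process that remembers what it read lowers its fc (permitted, since it holds no current access) and then writes to an Unclassified object without violating the *-property; the optional high-water check implements footnote 8's suggestion of prohibiting writes to a level lower than a previous read. The level lattice, object names and data values are constructed for the example.

```python
from dataclasses import dataclass, field

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # constructed linear order of levels

@dataclass
class Subject:
    f_s: str                      # maximum (clearance) level
    f_c: str                      # current level
    memory: set = field(default_factory=set)  # data the process remembers
    high_water: str = "U"         # highest level read so far (footnote 8 rule)

class Model:
    def __init__(self, objects, high_water_rule):
        self.objects = objects            # name -> [level, contents]
        self.high_water_rule = high_water_rule  # footnote-8 restriction on/off

    def read(self, s, o):
        lvl, data = self.objects[o]
        # simple-security (f_s dominates) and *-property read (f_c dominates)
        if LEVELS[s.f_s] < LEVELS[lvl] or LEVELS[s.f_c] < LEVELS[lvl]:
            raise PermissionError("read denied")
        s.memory |= data
        if LEVELS[lvl] > LEVELS[s.high_water]:
            s.high_water = lvl

    def write(self, s, o, data):
        lvl, contents = self.objects[o]
        if LEVELS[s.f_c] > LEVELS[lvl]:
            raise PermissionError("*-property: write down denied")
        if self.high_water_rule and LEVELS[s.high_water] > LEVELS[lvl]:
            raise PermissionError("write below a previously read level")
        contents |= data

    def lower_fc(self, s, new):
        # The model permits this whenever the subject holds no current access;
        # accesses here are momentary, so that check never fails.
        s.f_c = new

def leaks(high_water_rule):
    """True if a process with memory can move Secret data into a U object."""
    m = Model({"hi": ["S", {"secret"}], "lo": ["U", set()]}, high_water_rule)
    s = Subject(f_s="S", f_c="S")
    m.read(s, "hi")         # allowed: f_c = S dominates S
    m.lower_fc(s, "U")      # allowed: no current accesses
    try:
        m.write(s, "lo", s.memory)  # *-property holds: f_c = U <= U
    except PermissionError:
        return False
    return "secret" in m.objects["lo"][1]
```

Without the high-water rule every transition is secure by the model's definitions yet Secret data ends up in the U object; with it, the final write is refused.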

The moral may be that we should change tactics. Instead of searching for some Platonic form of security, it may be time to realize that there are several concepts of security that bear only, to use Wittgenstein's phrase, a family resemblance to each other. If this is correct, our task should be to look at each application separately where our intuitions are more reliable and explicate the concept of security relevant to it [9].

In any event, it is certainly time for the computer security community to begin a thorough examination of our foundations. The Bell-LaPadula model was a monumental piece of work, but it has lived in an overly sheltered environment which has permitted it to survive beyond its rightful time. Like a pampered offspring, it has endured, not because it is fit, but because it has been protected from harm.

As it is presented in [3], the model is inadequate to bear the weight the computer security community has placed on it, and those who insist on its soundness have conflicting views of it which are inconsistent with [3]. Hence, we have developed an environment where our documented foundations are inadequate, yet shielded from adversity by appeals to implicit assumptions "which everybody knows about" (even if people disagree on what these assumptions are!). Such an environment prevents the examination of the foundations that actually underlie our systems and will eventually impede the development of new systems. Until the implicit foundations many in the computer security community claim to exist are documented and subjected to critical scrutiny, our faith in our systems will be unjustified. Perhaps worse, we will be doomed to a cycle where as practitioners retire, the assumptions that "everybody knows" will be forgotten, leaving only the information contained in the false publications, and then rediscovered as our new systems fail, only to be forgotten again. Such is the path to neither science nor security.

8 I first heard this point from Debbie Cooper. The only interpretation of the *-property I can think of that makes sense is if we assume that processes can remember things, but only until their current security level changes. Even then, the property should only prohibit writing to a lower level than a previous read.